Re: patch to allow for ssh md5 checking option
Date: Mon, 24 Sep 2007 12:10:36 -0700
Yah, I was thinking of that too, but I needed something now (for
internal use) and the known_hosts format that openssh uses is somewhat
complicated. My hope was maybe it would go in so I don't maintain a
separate branch and at some later point, another option would be
provided which would use a local database (e.g. known_hosts).
Dan Fandrich wrote:
> On Mon, Sep 24, 2007 at 10:49:57AM -0700, Johnny Luong wrote:
>> I've attached a patch (against curl-7.17.0) to the scp/sftp subsystem so
>> that it'll take another option, the md5 fingerprint of the host public
>> key, and fail if it doesn't match up to what the user thinks it should be.
>> Let me know if you have any thoughts on it.
> I think this is a great idea! I like the libcurl side of things (although
> I think the code should err out in the case
> (data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5] &&
> strlen(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]) != 32)
> ), but I think expecting the user to provide an MD5 string on the command-line
> is a bit much to expect on the curl side and will seldom get used. Instead,
> I think curl should automatically derive the MD5 fingerprint directly
> from a host entry in an OpenSSH-compatible ~/.ssh/known_hosts file,
> with a command-line option used to disable that check (like -k for SSL).
- application/pgp-signature attachment: OpenPGP digital signature
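The two checks discussed in this thread, as an added example that is not the attached patch or curl's own code: deriving the OpenSSH-style MD5 fingerprint of a host key from a plain-text known_hosts entry, and comparing a presented key against a user-supplied fingerprint that is rejected outright unless it is exactly 32 hex characters. The sample key blob and known_hosts lines are constructed here, not real keys; hashed (`|1|...`) hostnames and `@marker` entries are skipped rather than parsed.

```python
import base64
import hashlib
import hmac
import re


def ssh_string(b):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample key blob (NOT a real key): "ssh-ed25519" + 32 dummy bytes,
# base64-encoded exactly as OpenSSH writes the key field of known_hosts.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KNOWN_HOSTS = [
    "# constructed known_hosts sample",
    "example.invalid,192.0.2.10 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode(),
]


def md5_fingerprint(key_blob):
    """OpenSSH's MD5 fingerprint: MD5 of the raw key blob as 16 colon-separated hex bytes."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_from_known_hosts(host, lines):
    """Return the MD5 fingerprint of the first plain-text entry naming `host`, else None.
    Comment lines, @cert-authority/@revoked markers and hashed hostnames are skipped."""
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        if host in fields[0].split(","):
            return md5_fingerprint(base64.b64decode(fields[2], validate=True))
    return None


def normalize_md5(text):
    """Accept 'aa:bb:...' or the bare 32-hex form; anything else is an error,
    matching the review's point that a string whose strlen() != 32 must fail."""
    hexdigest = text.strip().lower().replace(":", "")
    if not re.fullmatch(r"[0-9a-f]{32}", hexdigest):
        raise ValueError("host key MD5 must be 32 hex characters")
    return hexdigest


def host_key_matches(presented_blob, expected_md5):
    """True only when the presented key's MD5 equals the fingerprint the user expects."""
    actual = hashlib.md5(presented_blob).hexdigest()
    return hmac.compare_digest(actual, normalize_md5(expected_md5))
```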